Winfried de Heiden via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> writes:
> OTP using IPA 4.5 on CentOS seems to work well. However: I can force
> a user to use OTP and/or a host.
> Authentication indicators won't work that way...
> Selecting a user, ALL authentication needs OTP. Since sudo in this
> case will ask for OTP also, this turns out
> quite inconvenient. Is it possible to select only certain services for OTP, for example:
> login using SSH --> OTP
> login ftp --> OTP
> console --> password only
> sudo --> password only
Not easily with FreeIPA, but I do something similar with Privacyidea and
Yubikeys. In FreeIPA I authenticate my user with RADIUS (freeradius and
Privacyidea). In Privacyidea my user has a Yubikey token assigned, so I
log on with password+OTP when logging in. When I do sudo I have a
special PAM config: Users with a yubikey authenticate only with OTP
instead of "NOPASSWD" - that way I don't need to type my password, but
still have some authentication going on.
You can't do that with tokens defined in FreeIPA, but looking at PAM
options might help you to get something working. Do you use hardware
tokens or a smartphone app/soft token?
Jochen
--
This space is intentionally left blank.
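One way to express the per-service split Jochen describes as a PAM stack for sudo, written as an added example that is not from this thread and not either poster's actual configuration. It assumes a CentOS-style /etc/pam.d/sudo that includes system-auth, a group named otp-users (local or served by SSSD from IPA) holding the token holders, and pam_radius_auth.so already pointed at the RADIUS server that validates the OTP; whether that server accepts a bare OTP without the LDAP password is a policy on the RADIUS side, not in PAM.

```conf
#%PAM-1.0
# /etc/pam.d/sudo (constructed example, assumptions noted above)
#
# Line 1: if the user is NOT in otp-users, skip the next 1 module
#         (the RADIUS line) and fall through to the normal password stack.
#         For members the check fails, which is ignored, so they continue
#         to the RADIUS line.
auth       [success=1 default=ignore]   pam_succeed_if.so user notingroup otp-users quiet
# Line 2: token holders authenticate against RADIUS only. "done" ends the
#         auth stack on success; "die" fails immediately on a bad OTP so the
#         password stack below is never reached for these users.
auth       [success=done default=die]   pam_radius_auth.so
# Everyone else: the stock password path (LDAP/IPA via SSSD on this host).
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
```

Note that the tokens validated here are the ones enrolled on the RADIUS backend, not tokens defined in FreeIPA, which is the limitation Jochen points out; test the stack from a second root shell before logging out, since a mistake in the control fields can lock sudo for everyone.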